Effective and Privacy-Preserving Estimation of the Density Distribution of LBS Users under Geo-Indistinguishability

Abstract

With the widespread use of mobile devices, location-based services (LBSs), which provide useful services adjusted to users’ locations, have become indispensable to our daily lives. However, along with several benefits, LBSs also create problems for users because to use LBSs, users are required to disclose their sensitive location information to the service providers. Hence, several studies have focused on protecting the location privacy of individual users when using LBSs. Geo-indistinguishability (Geo-I), which is based on the well-known differential privacy, has recently emerged as a de-facto privacy definition for the protection of location data in LBSs. However, LBS providers require aggregate statistics, such as user density distribution, for the purpose of improving their service quality, and deriving them accurately from the location dataset received from users is difficult owing to the data perturbation of Geo-I. Thus, in this study, we investigated two different approaches, the expectation-maximization (EM) algorithm and the deep learning based approaches, with the aim of precisely computing the density distribution of LBS users while preserving the privacy of location datasets. The evaluation results show that the deep learning approach significantly outperforms other alternatives at all privacy protection levels. Furthermore, when a low level of privacy protection is sufficient, the approach based on the EM algorithm shows performance results similar to those of the deep learning solution. Thus, it can be used instead of a deep learning approach, particularly when training datasets are not available.

1. Introduction

Location-based services (LBSs) provide services that are adjusted to users’ current locations. With the widespread use of mobile devices, LBSs have become indispensable to our daily lives. In its early days, LBSs provided simple services such as directions and localized advertisements. However, with time they evolved to provide users with more complex services such as ride-sharing [1], mobile crowdsensing [2,3], mobile games [4], and disaster alarm services [5].

The demand for LBSs that can provide various services based on user location information is expected to continue to increase. However, similar to many other innovative services, LBSs also come with their problems. The main source of these problems is the fact that to use LBSs, users are required to disclose their location information to the LBS servers. Location data can easily be linked to sensitive information that individual users do not wish to disclose [6]. That is, by tracking users’ location information, inferring sensitive information, such as home and work addresses, hospital visit records, and behavioral patterns such as offline shopping preferences, is possible. Thus, without proper protection of sensitive location data, there is an inevitable risk that LBS users’ sensitive information may be exposed to unauthorized parties [6,7].

Extensive studies have focused on protecting the location privacy of individual users when using LBSs. The most common approaches include anonymization techniques [8,9], dummy location techniques [10], and cryptography mechanisms [11,12]. Differential privacy (DP) [13] has emerged as the de-facto standard for privacy-preserving computations, and several approaches have sought to apply the notion of DP to the protection of location data. Among them, geo-indistinguishability (Geo-I) has recently emerged as the de-facto privacy definition for protecting location data [14,15,16]. As Geo-I can guarantee rigorous location privacy against adversaries with arbitrary background knowledge, it has been widely adopted in many LBS applications [17,18,19,20].

For LBS providers, the location datasets collected from their service users are valuable assets that can be used to obtain aggregate statistics, which, in turn, can be exploited to improve the quality of the service they provide. For example, in mobile crowdsensing applications, information on worker distribution obtained from the collection of historical location data can be exploited in worker selection processes [3,19,20]. In point-of-interest recommendation applications, the transition pattern between two consecutive points of interest, which can be extracted by analyzing historical location datasets, is used to recommend the next point-of-interest candidate to users [21,22,23]. Furthermore, the location datasets collected in LBSs can be published to external third parties for data analysis [24,25].

1.1. Motivation

Geo-I is a perturbation-based technique and thus guarantees that the true locations of individual users are not disclosed to their LBS providers. This alleviates user concerns regarding privacy leaks. However, for LBS providers, such a location-privacy-preserving mechanism makes utilizing location datasets collected from users difficult.

Consider the motivational example shown in Figure 1. In this example, owing to privacy concerns, each user first perturbs their true location using Geo-I and then sends the perturbed location to the LBS server. The LBS server then provides the requested service to the user based on their perturbed location. Meanwhile, for the purpose of improving the service quality, the service provider wishes to know the aggregate statistics, such as the user density distribution in each specified time period. However, because of the data perturbation mechanism of Geo-I, deriving such statistics accurately from the collection of location data received from users is difficult.

1.2. Contributions

In this study, we aim to develop a novel method to effectively compute aggregate statistics, particularly the user density distribution, from the perturbed location data of LBS users collected using Geo-I. Information regarding the density distribution of users is commonly used in diverse LBS applications. For example, one of the most representative LBS applications that exploit information about user-density distribution is a digitized map service, such as Apple Maps [26], Google Maps [27], and Waze [28]. Digitized map services currently leverage information on the density distribution of users (i.e., vehicle drivers) on roads, which is collected from map users, to provide traffic information and driving directions to users. Another application is the epidemic map, which provides information about areas wherein there is a high risk of infection. During the COVID-19 outbreak, numerous studies on privacy-preserving COVID-19 vulnerability map construction were carried out. For example, Chen et al. [29] established a COVID-19 vulnerability map based on information on the density distribution of voluntary participants with COVID-19 symptoms, in which Geo-I was used to collect the location of participants in a privacy-preserving manner.

The main contributions of this study are summarized as follows:

• We developed a privacy-preserving framework for effectively computing the density distribution of LBS users based on the collection of users’ location information that has been obfuscated by the perturbation mechanism of Geo-I.
• For an accurate estimation of the density distribution of LBS users with perturbed location datasets, we explored two different approaches. The first approach leverages the functionality of the expectation-maximization (EM) algorithm to estimate the hidden information precisely (i.e., users’ true location) from observed data (i.e., users’ perturbed location). In the second approach, which is the deep learning–based approach, a generative adversarial network is first trained using the available training datasets, and then the trained generative network is used to generate the true density distribution from the perturbed location information.
• We evaluated the performance of the proposed algorithms using real and synthetic data. The evaluation results demonstrated that the proposed EM algorithm- and deep learning approaches significantly outperform the existing approaches. Furthermore, based on the evaluation results, we analyzed the features of the proposed approaches.

The remainder of this paper is organized as follows. Section 2 presents related work. In Section 3, we provide preliminary information. Section 4 presents two approaches to estimate the density distribution of LBS users using perturbed location datasets. In Section 5, we present the experimental evaluation of the proposed approach using real datasets. Finally, the conclusions are presented in Section 6.

2. Related Work

Geo-I has attracted considerable attention for diverse LBS applications. Here, we briefly summarize several key applications of Geo-I. Mobile crowdsourcing (MC) is a framework in which a large group of people (e.g., workers) voluntarily participate in the collection and sharing of data using mobile devices. MC platforms require workers to share their locations with MC servers so that sensing tasks can be allocated to the closest workers. This violates workers’ location privacy and is thus perceived as a deterrent factor in their willingness to participate in sensing tasks. Hence, several studies have proposed the use of Geo-I to protect worker location privacy by obfuscating their true locations [19,30,31]. Social network services, which provide users with a list of people nearby, are increasingly popular. Location-aware social network services can help people get connected, but they can create a location privacy problem at the same time. Accordingly, several studies have aimed at leveraging Geo-I to protect the location privacy of users in location-aware social network services [18,32]. In ride-sharing services such as Uber, Waze, and Lyft, users are required to share their location information (e.g., current and destination locations) to benefit from the service. In this process, there is the risk that the service user’s sensitive location data may be exposed. To address the location privacy challenge in ride-sharing services, Tong et al. [17] and Shi et al. [33] proposed scheduling schemes that employ Geo-I to protect the location information of ride-sharing users.

With the recent development of the Internet of Things (IoT), we are now regularly encountering various IoT-based services, such as healthcare services and smart grids, in our daily lives [34]. With the development of IoT, vehicles are equipped with various sensors and Internet access, which can then be used to gather traffic data and road information [35]. For example, vehicles can collect information on their road environments using cameras [36]. Accordingly, several studies have suggested the use of vehicles as workers on MC platforms. In [20], Geo-I was used to protect the locations of vehicles participating in MC. The method proposed in [20] first models a road map as a weighted directed graph and represents the locations of tasks and vehicles as points on the graph. Then, the location perturbation of Geo-I was achieved using a probabilistic distribution over the graph. To improve the quality of service in vehicle networks, Zhou et al. [37] developed edge-assisted vehicle networks in which Geo-I was deployed at the edge nodes to protect the actual location of the vehicle.

Although extensive studies have been conducted on Geo-I, most have focused on protecting individual users’ location privacy in LBSs; only a few recent studies have addressed the problem of computing aggregate statistics using Geo-I in LBSs. EGeoIndis [38], which is based on Geo-I, is a vehicle location privacy protection framework used to estimate traffic density. It applies Geo-I to protect the privacy of vehicle location during traffic density estimation. Chen et al. [29] relied on Geo-I to collect the locations of voluntary participants with COVID-19 symptoms in a privacy-preserving manner; the location data collected under Geo-I were used to construct a COVID-19 vulnerability map.

Several studies have been conducted on privacy-preserving density estimation in diverse application domains. Wu et al. [39] presented a privacy-preserving traffic density estimation system that uses a pseudonym server and location anonymization server to prevent the risk of privacy disclosure by vehicle drivers. Huang et al. [40] proposed a privacy-preserving traffic density estimation model that combined homomorphic encryption with the Laplace mechanism to protect users’ location privacy. Furthermore, to collect track data from users in a privacy-preserving manner, a sampling method is employed to reduce the spatial and temporal continuity of location information. Kim and Jang [41] proposed a method to collect location data from users in indoor environments. They exploited local DP, which is a local version of DP, to preserve the location privacy of users when collecting their indoor location information. The indoor location data collected under the local DP were then used to compute the user density in indoor environments. Wang et al. [42] presented a location protection method for mobile crowdsensing to preserve worker privacy. They leveraged the local DP to collect the location information of workers, which was then used to estimate the distribution of workers for mobile crowdsensing. Yang et al. [43] proposed a privacy framework for mobile crowdsensing in which the cell service provider collects locations from workers and releases worker density in a sanitized form, which is obtained using DP, to the crowdsensing server.

3. Preliminary

In this section, we first introduce the preliminaries used in this study, formally define the problem, and present baseline approaches.

3.1. Geo-Indistinguishability

Geo-I is an extended version of the well-known DP. To protect users’ location information against adversaries with arbitrary background knowledge, Geo-I introduces the distance metric between objects to the concept of DP. Formally, $ϵ$-Geo-I is defined as follows:

Definition 1 

($ϵ$-Geo-I). Let us assume that $\mathcal{X}$ represents a set of possible user locations. Let us further assume that a randomized mechanism, K, probabilistically generates a perturbed location from a true user’s location. Let $d(x,x^{\prime })$ be the distance between $x,x^{\prime }\in \mathcal{X}$, such as Euclidean distance between x and $x^{\prime }$. Then, K satisfies ϵ-Geo-I, if and only if for (1) all $x,x^{\prime }\in \mathcal{X}$ and (2) any output location, $y\in \mathcal{X}$ of K, the following is satisfied [6,14,15,16]:

$$K\left(x\right)\left(y\right)\le e^{ϵ·d(x,x^{\prime })}\times K\left(x^{\prime }\right)\left(y\right).$$

(1)

The above definition denotes that if x and $x^{\prime }$ are closely located to each other, the distribution of locations (i.e., $K\left(x\right)\left(y\right)$ and $K\left(x^{\prime }\right)\left(y\right)$) generated by the randomized mechanism K would similar to each other and thus, it is hard to distinguish that any output location, y, is generated from x or $x^{\prime }$. On the contrary, if they are located far away to each other, the distribution of locations generated by K would be relatively dissimilar and thus, an output location generated by x from by $x^{\prime }$ can be easily distinguished.

The parameter $ϵ$, which is a privacy budget, controls a tradeoff between the level of data utility and privacy. A large value of $ϵ$ provides a weak privacy guarantee, resulting in higher data utility. On the contrary, a small value of $ϵ$ provides strong privacy protection for location information, resulting in lower data utility.

There are two common approaches to archive $ϵ$-Geo-I: the Laplace mechanism [14] and optimization mechanism [15,16]. In terms of data utility, it is well known that the optimization mechanism can produce the perturbed locations with a higher utility than the Laplace mechanism. In the optimization mechanism, the LBS server first computes the perturbation matrix, M, by solving the following linear programming problem.

$$\begin{array}{ccc}\hfill min:& \sum _{x,y\in \mathcal{X}}{\pi }_{\mathcal{X}}·M[x,y]·d(x,y)\hfill & \\ \hfill s.t.:& M[x,y]\le e^{ϵ·d(x,x^{\prime })}\times M[x^{\prime },y]\hfill & x,x^{\prime },y\in \mathcal{X}\\ & \sum _{y\in \mathcal{X}}M[x,y]=1\hfill & x\in \mathcal{X}\\ & M[x,y]>0\hfill & x,y\in \mathcal{X}\end{array}$$

(2)

Here, $\pi$ is the prior probability distribution of user locations and can be defined using the available historical data. $M[x,y]$ denotes the probability that a perturbed location y is randomly generated from a true location x (i.e., $M[x,y]=K\left(x\right)\left(y\right)$).

Once the perturbation matrix is computed, M, the LBS server distributes it to LBS users. After receiving M, each user perturbs their true location according to the probabilities encoded in M, and sends the perturbed location to the LBS server along with a service request. Then, the LBS server provides the requested service to the user based on their perturbed location. We note that during this process, the true location of each user is not disclosed because the perturbation of location data is performed in his/her mobile device.

3.2. Problem Definition

In this subsection, the problems addressed in this study are defined. Let $U=\{u_1,u_2,\cdots ,u_n\}$ be a set of LBS users. In this study, we assumed that the spatial domain was partitioned into disjointed grids. Let $\mathcal{X}=\{x_1,x_2,\cdots ,x_m\}$ be the set of disjointed grids. The location of the user is then represented using a grid to which the user’s current location belongs geographically. Let $x_{u_k}\in \mathcal{X}$ be the location of the k-th user and $x_{u_k}^p\in \mathcal{X}$ be the corresponding perturbed location obtained using the perturbation matrix M.

Let $D{B}_s^p=\{x_{u_1}^p,x_{u_2}^p,\cdots ,x_{u_n}^p\}$ be the collection of perturbed locations maintained by the LBS server and received from n users in the s-th time period. The objective of this study is to compute the density distribution, $p\left(x_i\right)$ (where $1\le i\le m$), of LBS users in the s-th time period using the collection of perturbed locations $D{B}_s^p$.

3.3. Baseline Approaches

In this subsection, we present the baseline approaches. Given $D{B}_s^p$, the first baseline solution is to compute $p\left(x_i\right)$ directly based on $D{B}_s^p$:

$$p\left(x_i\right)=\frac{count(x_i,D{B}_s^p)}{n}$$

(3)

Here, $count(x_i,D{B}_s^p)$ represents the number of times location $x_i$ appears in $D{B}_s^p$. However, this straightforward approach cannot accurately estimate the user density distribution because it does not consider the effect of the Geo-I location perturbation mechanism.

A better solution to this problem is to exploit the probabilistic mapping information between the true and perturbed locations encoded in the perturbation matrix M. Given that M is distributed to each user by the LBS server, $M[x_i,x_k]$ denotes the probability that a perturbed location $x_k$ (corresponding to the location sent to the LBS server by a user) is randomly generated from the user’s true location $x_i$. The second baseline approach then considers the mapping probability information between a perturbed and true location when computing $p\left(x_i\right)$:

$$p\left(x_i\right)=\frac{{\sum }_{1\le k\le m}\left(M[x_i,x_k]\times count(x_k,D{B}_s)\right)}{n}$$

(4)

Note that by the definition of M, ${\sum }_{1\le k\le m}M[x_i,x_k]=1$; that is, when computing $p\left(x_i\right)$, the above approach considers the probabilities encoded in the perturbation matrix M that the perturbed location $x_k$ (where $1\le k\le m$) is generated randomly from the true location $x_i$.

4. Effective Privacy-Preserving Estimation of the Density Distribution of LBS Users

In this section, we present two approaches for accurately estimating the true density distribution of LBS users based on perturbed location datasets collected under the Geo-I setting.

4.1. Expectation-Maximization Algorithm-Based Approach

In this subsection, we describe the details of the EM algorithm approach to compute the density distribution of LBS users with the perturbed location datasets. The EM algorithm, which is frequently used to estimate a set of hidden parameters based on observed data, is an iterative method that sequentially runs the E-step (expectation) and M-step (maximization). The E-step computes the expected value of the likelihood based on the current parameters and observed variables, and the M-step re-estimates the parameters to maximize the likelihood function.

The process of the EM algorithm to compute the density distribution of LBS is defined as follows.

Initialization: In the initialized phase, the initial parameter ${\theta }^{\left(0\right)}$ is defined. ${\pi }_i^{\left(0\right)}$ is initialized with a uniform value, such as ${\pi }_i^{\left(0\right)}=p\left(x_i\right)=\frac{1}{m}$. We note that ${\pi }_i^{\left(0\right)}$ can be defined using the available historical data.

E-Step: Let $p^{\left(h\right)}\left(x_i|x_{u_t}^p\right)$ be a posterior probability for which, given the perturbed location $x_{u_t}^p$ (which is received from the t-th user $u_t$), the true location is $x_i$ under the current parameter ${\theta }^{\left(h\right)}$. Then, $p^{\left(h\right)}\left(x_i|x_{u_t}^p\right)$ can be computed by using Bayes’ theorem as follows:

$$\begin{array}{cc}\hfill p^{\left(h\right)}(x_i|x_{u_t}^p)& =P(x_i|x_{u_t}^p,{\theta }^{\left(h\right)})\hfill \\ & =\frac{P(x_i|{\theta }^{\left(h\right)})\times P(x_{u_t}^p|x_i,{\theta }^{\left(h\right)})}{P(x_{u_t}^p|{\theta }^{\left(h\right)})}\hfill \\ & =\frac{P(x_i|{\theta }^{\left(h\right)})\times P(x_{u_t}^p|x_i,{\theta }^{\left(h\right)})}{{\sum }_{j=1}^{m}P(x_j|{\theta }^{\left(h\right)})\times P(x_{u_t}^p|x_j,{\theta }^{\left(h\right)})}\hfill \\ & =\frac{{\pi }_i^{\left(h\right)}\times M[x_i,x_{u_t}^p]}{{\sum }_{j=1}^m{\pi }_j^{\left(h\right)}\times M[x_j,x_{u_t}^p]}\hfill \end{array}$$

(5)

We note that by the definition of the perturbation matrix, $M[x_i,x_{u_t}^p]$ is equal to $p(x_{u_t}^p|x_i)$.

By using Equation (6), for each received perturbed location $x_{u_t}^p\in D{B}_s$ and each grid $x_i\in \mathcal{X}$, the E-step computes the posterior probability $p^{\left(h\right)}(x_i|x_{u_t}^p)$ with the current parameter ${\theta }^{\left(h\right)}$.

M-Step: In this step, the parameters are recomputed based on the current posterior probabilities computed in the previous E-Step:

$${\pi }_i^{(h+1)}=\frac{{\sum }_{t=1}^n{p}^{\left(h\right)}(x_i|x_{u_t}^p)}{n}$$

(6)

The abovementioned E-step and M-step are repeated until the values of the parameters converge towards a stable value. Let us assume that the values of the parameters of the EM algorithm converge after h iterations. Then, $p\left(x_i\right)$ is computed as $p\left(x_i\right)={\pi }_i^{(h+1)}$.

4.2. Deep Learning–Based Approach

In this subsection, we present a deep learning approach to compute the density distribution of LBS users from perturbed location datasets collected under the Geo-I setting. The proposed method first trains a conditional generative adversarial network (cGAN) [44] such that it can generate the true density distribution from perturbed location datasets, and then exploits the well-trained generator of cGAN to estimate the density distribution from the given perturbed location data (Figure 2).

4.2.1. Training of Conditional Generative Adversarial Network

Let $DB=\{D{B}_1,D{B}_2,\cdots ,D{B}_v\}$ be the collection of training datasets in which $D{B}_r\in DB$ corresponds to a set of true locations of LBS users in the r-th time period. Let $D{B}_r^p$ be a set of perturbed locations generated from $D{B}_r$ by using the perturbation matrix M of Geo-I. Let us assume that $p_{true}\left(x_i\right)$ is the true density of the grid $x_i\in \mathcal{X}$ computed from $D{B}_r$. Similarly, $p\left(x_i\right)$ is defined as the perturbed density computed from $D{B}_r^p$ by using Equation (3). The proposed method first trains the generator of the cGAN such that it can generate the true density distributions $p_{true}\left(x_1\right),p_{true}\left(x_2\right),\cdots ,p_{true}\left(x_m\right)$ from the perturbed density distributions $p\left(x_1\right),p\left(x_2\right),\cdots ,p\left(x_m\right)$.

Figure 2 shows the cGAN structure utilized to estimate the density distribution of LBS users from perturbed location datasets. The cGAN structure comprises a generator (G) and discriminator (D). Given the perturbed density distribution and temporal information, such as daily and hourly information, the generator aims to generate density distributions that are similar to the true distributions. By contrast, the discriminator attempts to distinguish between the true density distributions and those from the generator.

The input to the generator comprises the following two parts: a noise vector $\overrightarrow{z}$ and condition vector $\overrightarrow{y}$. The condition vector $\overrightarrow{y}$ consists of the following two parts: the perturbed density distribution vector $\overrightarrow{p}$ and the temporal information vector $\overrightarrow{t}$. The perturbed density distribution, $p\left(x_1\right),p\left(x_2\right),\cdots ,p\left(x_m\right)$, is encoded into the m-dimensional perturbed density distribution vector $\overrightarrow{p}=[p\left(x_1\right),p\left(x_2\right),\cdots ,p\left(x_m\right)]$ such that the value of the i-th element corresponds to $p\left(x_i\right)$. For the temporal information, a one-hot encoder was used to represent the attributes as high-dimensional vectors. In this study, both daily and hourly information were used as temporal information. The daily information attribute was encoded into 7-dimensional binary vectors ${\overrightarrow{t}}_d$, and the hourly information was encoded into 24-dimensional binary vectors ${\overrightarrow{t}}_h$. These two vectors ${\overrightarrow{t}}_d$ and ${\overrightarrow{t}}_h$ are concatenated into $\overrightarrow{t}$. Subsequently, the perturbed density distribution vector $\overrightarrow{p}$ and temporal information vector $\overrightarrow{t}$ are concatenated into $\overrightarrow{y}$.

The noise vector $\overrightarrow{z}$ is defined as an m-dimensional vector. Note that m denotes the grid set size. The value of each element in $\overrightarrow{z}$ corresponds to a value randomly sampled from the Gaussian distribution $\mathcal{N}(\mu ,\sigma )$. The generator takes the noise vector $\overrightarrow{z}$ and condition vector $\overrightarrow{y}$ as the input and generates the synthetic density distribution vector ${\overrightarrow{d}}_{syn}$, which is represented in m-dimensional space.

The discriminator of the cGAN is responsible for distinguishing between fake and real data instances. The discriminator input contains two parts: a density distribution vector and a condition vector. The density distribution vector ${\overrightarrow{d}}_{true}$ of real data instances is generated with the true density distribution, $p_{true}\left(x_1\right),p_{true}\left(x_2\right),\cdots ,p_{true}\left(x_m\right)$, whereas that of fake data instances correspond to the output vector of the generator (i.e., $G(\overrightarrow{z},\overrightarrow{y})={\overrightarrow{d}}_{syn}$). The discriminator outputs a scalar value (i.e., 0 or 1) indicating whether the input density distribution vector is real or fake.

With the cGAN training procedure, the generator attempts to fool the discriminator such that it believes that the synthetically generated data by the generator are real, whereas the discriminator attempts to distinguish between the real and synthetic data generated by the generator. This can be represented using a min–max optimization problem as follows [44]:

$$\underset{G}{min}\underset{D}{max}V(G,D)={\mathbb{E}}_{{\overrightarrow{d}}_{true}\sim p_{data}({\overrightarrow{d}}_{true})}[logD({\overrightarrow{d}}_{true},\overrightarrow{y})]+{\mathbb{E}}_{\overrightarrow{z}\sim p(\overrightarrow{z})}[log(1-D(G(\overrightarrow{z},\overrightarrow{y}),\overrightarrow{y}))]$$

(7)

Here, $p_{data}({\overrightarrow{d}}_{true})$ is the true density distribution of the training data and $p(\overrightarrow{z})$ corresponds to a Gaussian distribution $\mathcal{N}(\mu ,\sigma )$. The cGAN was trained by alternately updating the generator and discriminator parameters.

4.2.2. Estimating Density Distributions with Trained cGAN

Once training of the cGAN is complete, its well-trained generator can be used to infer the current true density distribution from the perturbed location data received from users under Geo-I. As shown in Figure 2, the input to the trained generator comprises the following two parts: a noise vector $\overrightarrow{z}$ and a condition vector $\overrightarrow{y}$ containing both the current perturbed densities and temporal information. The trained generator then generates an m-dimensional synthetic density distribution vector ${\overrightarrow{d}}_{syn}$, which corresponds to the estimated density distribution vector. That is, the synthetic density distribution vector ${\overrightarrow{d}}_{syn}$ is decoded such that the value of the i-th element of ${\overrightarrow{d}}_{syn}$ (i.e., ${\overrightarrow{d}}_{syn}\left[i\right]$) is the estimated density of the grid $x_i\in \mathcal{X}$.

5. Experiments

In this section, we first describe the experimental and implementation setup and then discuss the experimental results.

5.1. Experimental Setup

We report the results for the following alternatives: the first baseline approach ($B{A}_1$), described in Section 3.3; the second baseline approach ($B{A}_2$) that leverages probabilistic mapping information between true and perturbed locations, presented in Section 3.3; the EM algorithm-based approach ($EA$), described in Section 4.1; and the deep learning-based approach ($DA$), discussed in Section 4.2. We also report the results for the Laplace mechanism approach ($LA$) used in [29] in which the perturbed location is obtained by adding noise to an original location to obtain an obfuscated location and the obfuscated location is mapped to the closest grid. In the experiment, we used the mean absolute error (MAE) to compare the following four alternative approaches:

$$MAE=\frac{1}{m}\times \sum _{i=1}^m|p\left(x_i\right)-p_{true}\left(x_i\right)|$$

(8)

Here, $p_{true}\left(x_i\right)$ represents the true density of grids $x_i$ and $p\left(x_i\right)$ denotes the density estimated using the perturbed location datasets collected under Geo-I.

For evaluation, we used two datasets.

• Seoul Metro datasets [45], which correspond to real datasets, contain information on the number of passengers using each metro station each hour. For our experiments, we selected 114 stations, each of which is regarded as a grid. Then, we extracted the number of passengers using each station for each hour, which is considered as the number of LBS users in each grid. We divided the entire datasets into training and testing datasets. The training datasets, which contained 10,500 h datasets, were used for training the cGAN structure of the $DA$, as discussed in Section 4.2, whereas the testing datasets, containing the remaining 2658 h datasets, were used for evaluating the four approaches. We note that four approaches, $B{A}_1$, $B{A}_2$, $EA$, and $LA$, did not require the training datasets.
• We also synthetically generated datasets for evaluation purposes. These datasets contained 225 grids. For each grid, the number of LBS users was randomly generated under the Gaussian distribution. For our experiments, we generated 20,000 training datasets, which were used for training the cGAN structure of the $DA$, and 3000 testing datasets, which were used to evaluate the four different approaches. For each data, the Gaussian distribution with different standard deviations, randomly selected between 1.0 and 10, was used.

In the experiment, we used the following cGAN structure for $DA$. The generator of the cGAN consisted of four fully connected layers. In each intermediate hidden layer, the ReLU activation was used, whereas the sigmoid activation was used in the final layer. The discriminator of the cGAN has three fully connected layers, in which each hidden layer uses ReLU activation, except for the final layer, in which sigmoid activation is used. The cGAN model was implemented using PyTorch 1.13 with two Intel Xeon 5220R CPUs and an Nvidia RTX A6000 GPU.

5.2. Results

Figure 3 shows the effect of the privacy budget $ϵ$ on the MAE. In the experiments, $ϵ$ varies from 0.1 to 1.5. For all the methods, the MAE decreased as the privacy budget increased from 0.1 to 1.5. This is because a smaller value of $ϵ$ for Geo-I ensures stronger privacy protection by introducing larger perturbations into the true location. This, in turn, leads to a decreased utility of the collected data, resulting in an increased MAE. In contrast, a larger value of $ϵ$ introduces a smaller perturbation to the true location, thereby guaranteeing weaker privacy protection. Thus, with a larger value of $ϵ$, high data utility of the collected data can be achieved, which leads to a low MAE.

As shown in the figure, $DA$, which is based on cGAN, outperforms the other approaches. The performance gap between $DA$ and the other approaches (i.e., $B{A}_1$, $B{A}_2$, $EA$, and $LA$) increases significantly as $ϵ$ decreases. However, as $ϵ$ increases, and thus, the level of privacy protection decreases, the performance gap between $DA$ and the other approaches decreases. In particular, when $ϵ$ is set to 1.5, the $EA$ shows a performance in MAE similar to that of the $DA$. Among the four alternatives that do not require training datasets, the $EA$, which is based on the EM algorithm, significantly outperforms $B{A}_1$, $B{A}_2$ and $LA$ at all privacy budget levels. These evaluation results demonstrate that significant performance gains can be achieved by the proposed approaches, $DA$ and $EA$, compared to the baseline schemes.

To further investigate the performance gap between the $EA$ and $DA$, we plotted the MAE for each individual testing dataset in Figure 4. Here, the x-axis represents the index number of each testing dataset of the Seoul Metro datasets, and the y-axis represents the MAE values. Note that the size of the Seoul Metro testing datasets was 2658. The figure also shows the standard deviation values of the two approaches used to observe the variations in the results. As shown in the figure, in most cases, the $DA$ shows better results than the $EA$, which is consistent with the previous results in Figure 3. In addition, it was observed that the $DA$ produces more stable results than the $EA$ when a high level of privacy protection is required. In contrast, when the privacy protection level is low (i.e., $ϵ=1.5$), the $EA$ shows slightly more stable results than the $DA$. This is verified using the standard deviation values reported in the figure. When $ϵ$ was set to 1.5, the standard deviation of the $EA$ was slightly lower than that of the $DA$. However, for cases where $ϵ$ was set to 0.1, 0.5, and 1.0, the standard deviation values of $DA$ were significantly lower than those of $EA$.

Figure 5 shows the impact of the size of the training datasets on the performance of $DA$. In the experiments, Seoul Metro datasets were used, and the size of the training datasets varied from 1000 to 10,500. Four privacy budgets (0.1, 0.5, 1.0, and 1.5) are used in the experiments. For comparison, we also plotted $EA$, which shows the best performance among the approaches that do not require training datasets. As expected, the MAE of $DA$ decreased as the size of the training datasets increased. As can be observed in the figure, for the case when the privacy protection level is high (i.e., $ϵ=0.1,0.5$), $DA$ shows a better performance than $EA$, even when a small amount (i.e., 1000) of training data is used to train the cGAN of $DA$. These results indicate that, with sufficiently large training datasets, a good estimation of the density distribution of LBS users can be achieved with the proposed $DA$.

We also compared the execution times of $DA$ and $EA$. The execution time of $DA$ comprises training and estimation times.

Table 1. Training time of $DA$ for varying training dataset sizes.

Training data size	1000	2000	4000	6000	8000	10,500
Training time (s)	38	65	127	195	259	324

lists the overall training times of $DA$ for various training dataset sizes. In the experiments, Seoul Metro datasets were used, and the size of the training datasets varied from 1000 to 10,500. The number of epochs was set to 200, and the privacy budget was fixed at 1.0. The table shows that the training time increases linearly with an increase in the training dataset size. The density distribution estimation time for $DA$ is approximately 0.165 s. In the case of $EA$, the execution time corresponds to the estimation time because $EA$ does not require model training. The density distribution estimation time of $EA$ is approximately 0.347 s.

5.3. Discussion

Based on the experimental results, we discuss the features of the two proposed methods, $EA$ and $DA$. The evaluation results verified that the deep learning approach, $DA$, significantly outperformed the other alternatives, particularly when a high level of privacy protection was required. However, $DA$ requires training datasets to train the underlying cGAN model. Thus, $DA$ is suitable for the case where protecting the location privacy of LBS users is of the highest priority and sufficient training datasets are available.

On the contrary, in the case where a low level of privacy protection is sufficient, the EM algorithm approach, $EA$, shows a similar performance to that of the $DA$. Hence, the $EA$ is recommended for cases where a low level of privacy protection for LBS users is sufficient. In addition, unlike $DA$, $EA$ does not require any training datasets; thus, it is suitable for cases in which these are not available.

6. Conclusions

We presented an effective privacy-preserving framework to estimate the density distribution of LBS users based on a collection of user location information obfuscated by the perturbation mechanism of Geo-I. In particular, we explored two approaches: the EM algorithm and deep learning approaches. The evaluation results with real and synthetic data demonstrated that if there are sufficient training datasets, the deep learning approach significantly outperforms the other alternatives at all privacy protection levels. In the case where training datasets are not available, a significant reduction in error rates can be achieved using the approach based on the EM algorithm compared with the baseline approaches.